Mastering the Defence Against Social Engineering Tactics


Social engineering stands out for its exploitation of human psychology, where cybercriminals manipulate individuals into willingly compromising their security.

In this cyber security blog post, we'll delve into the nuances of social engineering, exploring its various forms such as pretexting, quid pro quo, baiting, and tailgating. We'll also discuss how the wealth of information available online can become a vulnerability and offer seven crucial strategies for mitigating these risks. By educating our teams and enhancing awareness, we can fortify our defences against these manipulative threats and safeguard our digital environments.

It’s perhaps cliché to say that the internet brings great advantages alongside many challenges, but it’s true. As we continue to look to technology for solutions, we not only make our own lives easier but also those of cyber threat actors, who range from cybercriminals to rival companies and foreign intelligence agencies. Having such a large attack surface (i.e., all the ways we use technology, from the web apps we use to log issues for the IT department to the cloud service that lets employees work remotely) gives them more ways to exploit the wealth of data available online for their nefarious purposes. This underlines the critical importance of understanding and defending against social engineering—a subtle but potent form of cyber manipulation that leverages human weaknesses.

Defending Against Social Engineering


1. Understanding Social Engineering

Social engineering is a strategy employed by hackers to manipulate individuals into divulging sensitive information, such as passwords or financial details. What makes this method particularly effective is its reliance on human psychology, tapping into our natural inclination to trust others. As a result, cybercriminals can often trick individuals into unwittingly compromising their own security.

1.1. Forms of social engineering

Pretexting is a technique in which an attacker creates a fabricated scenario or ‘pretext’ to manipulate their targets into divulging confidential information or performing actions that may compromise security. The goal of pretexting is to establish a false sense of trust and credibility, leading the target to provide information or engage in activities they wouldn't under normal circumstances.

An example of a pretexting scenario is an individual claiming to be from a trusted service provider and requesting personal information for verification purposes.

Quid Pro Quo is a technique where an attacker offers something of value to a target in exchange for specific information, services, or actions. The term is Latin for "something for something," reflecting the essence of this tactic – an exchange or reciprocal arrangement.

An example of a quid pro quo is a person posing as a computer technician who contacts individuals within an organisation. The attacker offers to help with a supposed technical issue by providing remote assistance or installing software. In exchange, they request login credentials or other sensitive information under the guise of needing it for the troubleshooting process.

Baiting exploits the human love of ‘something for free’. An attacker offers something enticing to a target with the goal of manipulating them into taking a specific action.

Some examples of baiting include:

  • USB baiting: An attacker leaves infected USB drives in public places, hoping that someone will pick them up and connect them to their computer, inadvertently introducing malware.
  • Email baiting: An attacker sends an email with a seemingly interesting link or attachment, enticing the recipient to click on it. The link or attachment, however, leads to a malicious website or contains malware.
  • Fake software downloads: Attackers may create fake versions of popular software or tools and offer them for free online. When individuals download and install these programs, they unknowingly compromise the security of their systems.

Tailgating is a physical tactic in which unauthorised individuals follow employees into restricted areas, taking advantage of their politeness or lack of suspicion.

1.2. The vulnerability of information

The online information environment presents a treasure trove of information that can be exploited by cybercriminals. Social media platforms, company websites, personal blogs and more often reveal personal and professional details, from job roles to contact information. Armed with this data, hackers can launch targeted attacks, such as spear phishing campaigns.

Recent examples of social engineering attacks highlight the evolving sophistication and varied tactics employed by cyber threat actors:

  1. MGM Resorts and Caesars Entertainment Attacks: Both MGM Resorts and Caesars Entertainment experienced breaches attributed to social engineering attacks. In these cases, attackers targeted outsourced IT vendors to gain access to the companies’ networks, demonstrating how third-party vendors can be exploited as weak links in cybersecurity.
  2. K2A243 (SCATTERED SPIDER) and Microsoft Teams Exploits: Threat actor group K2A243, also known as SCATTERED SPIDER, has been running novel email phishing scams and abusing Microsoft Teams to deliver DARKGATE malware. The group has been particularly effective in using a mix of tactics, including phone and SMS-based attacks, to lure users into exposing their credentials.
  3. Fake Fitness Membership Service Emails: Professionals from various firms received fake emails about the commencement of a fitness membership service, with a subsequent charge to their payment card. When these individuals responded, they were led to download Zoho Assist, a remote support software, which then allowed actors to exfiltrate files and demand a ransom to avoid data publication.
  4. Midnight Blizzard Attacks via Microsoft Teams: The threat actor Midnight Blizzard, attributed to the Foreign Intelligence Service of the Russian Federation, has been using compromised Microsoft 365 tenants owned by small businesses to launch social engineering attacks. They sent credential theft phishing lures through Microsoft Teams chats, targeting fewer than 40 unique global organisations, mainly in the government, non-government organisations (NGOs), IT services, technology, discrete manufacturing, and media sectors.

2. The Impact of Generative AI on Social Engineering: A Double-Edged Sword

As with most things nowadays, we can’t talk about social engineering without discussing AI; this section could probably be a post of its own. Generative AI, with its ability to create realistic and convincing content, is revolutionising various industries, but it also brings new dimensions to the realm of social engineering in cybersecurity. This technology's dualistic nature makes it both a tool for progress and a potential weapon for cybercriminals.

  1. Enhanced Phishing Attacks: Traditional phishing attacks often rely on generic messages, but with generative AI, attackers can craft highly personalised and convincing emails or messages. For instance, using AI, a cybercriminal could analyse a victim's writing style on social media or professional platforms and then mimic this style to create seemingly legitimate emails. These emails could convincingly appear to be from a trusted colleague or friend, thereby increasing the likelihood of the victim divulging sensitive information.
  2. Deepfakes in Social Engineering: Generative AI has enabled the creation of deepfakes, which are hyper-realistic video or audio recordings. In a social engineering context, an attacker could use a deepfake to impersonate a high-level executive in a video message, instructing employees to transfer funds or disclose confidential data. The realism of these deepfakes can make it extremely challenging for individuals to discern the deception.
  3. AI-Powered Impersonation on Calls: Similarly, AI can be used to clone voices, leading to sophisticated vishing (voice phishing) attacks. Imagine receiving a call from your 'boss'—with the voice indistinguishable from the real person—asking for urgent access to sensitive files. The ability of generative AI to replicate nuances in speech patterns makes these attacks alarmingly credible.

However, it's not all grim. Generative AI also empowers cybersecurity:

  1. Training and Preparedness: AI can generate realistic cyberattack scenarios for training purposes, helping cybersecurity professionals and employees better prepare for various social engineering tactics.
  2. Detection and Response: Advanced AI algorithms are being developed to detect anomalies in communication patterns, including emails and calls, which could signify a social engineering attack. This proactive detection is crucial in mitigating the risks posed by AI-enabled social engineering.

As generative AI continues to evolve, its impact on social engineering becomes increasingly significant, offering both sophisticated tools for attackers and powerful solutions for defenders. Understanding and adapting to this technology is vital for maintaining robust cybersecurity defences in an ever-evolving digital landscape.

3. Mitigating risks: Educating your people

Knowledge is the most potent weapon in the battle against social engineering threats. Giving your team the insights needed to identify and counter these evolving threats effectively is the best way to mitigate the risks.

Here are the seven key points your team should know:

  • Review privacy settings: Ensure your social media profiles are restricted to a limited audience, ideally friends and family, to minimise public visibility.
  • Mind your shares: Refrain from posting sensitive information, such as addresses or phone numbers, on public forums.
  • Use a dedicated email: Establish a separate email account for social media interactions to facilitate efficient account closure if needed.
  • Strengthen passwords: Create robust passwords that are unrelated to personal details, enhancing the security of your online accounts.
  • Use antivirus software: Maintain up-to-date antivirus and antispyware protection to defend against malware threats.
  • Exercise caution: Be sceptical of urgent or pressure-driven communications, as these are often red flags indicating attempted manipulation.
  • Be aware: Stay vigilant in the physical realm; avoid allowing unfamiliar people into secure premises without appropriate identification.
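The red flags listed above (urgency, requests for credentials, offers of remote "help", a charge to your payment card, something for free) map directly onto the pretexting, quid pro quo and baiting tactics described in section 1.1. The following added example, which is not the authors' tooling, turns those flags into a simple triage score that a help desk or mail filter could run over inbound messages; the rule weights, the trusted domain and the sample messages are all constructed assumptions for illustration.

```python
"""Heuristic triage of inbound messages for the social engineering red flags
described in the post. Added example; keyword weights and samples are assumed."""
import re
from dataclasses import dataclass, field

# Each rule names a tactic from the post and the phrases that commonly signal it.
# Weights are an assumption: tune them against your own mail corpus.
RULES = {
    "urgency (pressure to act now)": (2, [r"\burgent(ly)?\b", r"\bimmediately\b", r"\bact now\b"]),
    "credential request (pretexting / quid pro quo)": (3, [r"\bpassword\b",
        r"\blog-?in (details|credentials)\b", r"\bverify your (account|identity)\b"]),
    "remote-access lure (quid pro quo)": (3, [r"\bremote (support|assistance|access)\b"]),
    "payment hook (baiting)": (2, [r"\bcharged?\b", r"\bpayment card\b", r"\bmembership\b"]),
    "free offer (baiting)": (1, [r"\bfree\b", r"\bprize\b"]),
}

@dataclass
class Verdict:
    score: int
    flags: list = field(default_factory=list)
    external_sender: bool = False

def triage(sender: str, body: str, trusted_domains=("example-corp.test",)) -> Verdict:
    """Score one message; an external sender adds 1, each matched tactic adds its weight."""
    v = Verdict(score=0)
    v.external_sender = sender.rsplit("@", 1)[-1].lower() not in trusted_domains
    if v.external_sender:
        v.score += 1
        v.flags.append("external sender")
    text = body.lower()
    for tactic, (weight, patterns) in RULES.items():
        if any(re.search(p, text) for p in patterns):
            v.score += weight
            v.flags.append(tactic)
    return v

def needs_review(v: Verdict, threshold: int = 5) -> bool:
    """Threshold is an assumption: 5 means 'check with IT before acting'."""
    return v.score >= threshold

# Constructed samples modelled on the lures described in the post.
FITNESS_LURE = ("Your fitness membership starts today and GBP 49 will be charged to your "
                "payment card. To cancel, install the remote support tool and we will verify your account.")
HELPDESK_LURE = "Urgent: IT needs your login credentials to fix the VPN immediately."
BENIGN = "Minutes from today's meeting are attached. No action needed."

if __name__ == "__main__":
    for sender, body in [("billing@gym-offers.test", FITNESS_LURE),
                         ("it@example-corp.test", HELPDESK_LURE), ("alice@example-corp.test", BENIGN)]:
        v = triage(sender, body)
        print(sender, v.score, "REVIEW" if needs_review(v) else "ok", v.flags)
```

Note that the help-desk lure scores as review-worthy even from an internal-looking address, which matches the post's point that a plausible sender is not proof of legitimacy.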

4. Associated Training

MKC Training’s Cyber Training Alliance (CTA) is a true alliance of trusted Small and Medium Enterprises (SMEs) operating together to the mutual benefit of each company and collectively to the benefit of its customers. The CTA brings together complementary companies to deliver a coherent, powerful, and compelling offering to meet the needs of the ever-evolving cyber market with greater agility and value for money. The CTA was founded by MKC Training to bring together a trusted network of like-minded SMEs to deliver cyber training, delivering real skills rather than theory.

To help you further develop your skills and knowledge in Cyber Training, we've curated a list of relevant training resources. This includes a mix of free and paid options, online courses, certifications, workshops, and webinars. Each resource is briefly described, highlighting its key features, learning outcomes, and target audience.

If you would like to know more about our training capabilities, please contact courses@mkctraining.com for further information or follow one of the links below.


About the Author(s)

Lead Author: Keith Buzzard

CTO and Incident Response Specialist, Protection Group International

Connect with me on LinkedIn!

Keith joined PGI in 2013 and until July 2021, led PGI’s Incident Response team. Coming from a defensive and offensive digital security background, he has the experience and insight required to direct and advise on the technological elements of digital security strategies. He understands and is able to provide insight into a mix of approaches, including reverse engineering, signature writing, incident response, forensics, penetration testing, solution design, transformation training / mentoring and vulnerability development and has the ability to translate between senior stakeholders and technical operators in a way that aligns with organisational goals and technical reality.

Co-Author: Trevor Jackson

Founding Director of Metier Solutions Ltd

Connect with me on LinkedIn!

Trevor Jackson is Founding Director of Metier Solutions Ltd, a trusted strategic consultancy specialising in people, organisational performance, training and capability building. He led the training research and consultancy function for QinetiQ's cyber, information and training division and was head of architecture for BAE's AI cyber business unit. A proven track record in market analysis and business strategy underscores a multidimensional approach to complex problem-solving.

Authoring Tools: Blog Bunny

A GPT built on advanced AI developed by OpenAI, Blog Bunny is designed to simplify and explain complex concepts with authority and clarity. Specialising in transforming intricate topics into engaging, easy-to-understand articles, it draws on its vast database and research capabilities to ensure factual accuracy and depth. Dedicated to enhancing the educational aspect of blog posts, it is a source for insightful, well-researched, and expertly written content that resonates with readers across various domains. Blog Bunny can be accessed at Blog Bunny.




Disclaimer

Please note that parts of this post were assisted by an Artificial Intelligence (AI) tool. The AI has been used to generate certain content and provide information synthesis. While every effort has been made to ensure accuracy, the AI's contributions are based on its training data and algorithms and should be considered as supplementary information.
